SHB is a small invitational gathering of people
studying various aspects of the human side of security, organized
each year by Alessandro Acquisti, Ross Anderson, and myself. The 50
or so people in the room include psychologists, economists, computer
security researchers, sociologists, political scientists,
neuroscientists, designers, lawyers, philosophers, anthropologists,
business school professors, and a smattering of others. It's not
just an interdisciplinary event; most of the people here are
individually interdisciplinary.

The goal is to maximize discussion and
interaction. We do that by putting everyone on panels, and limiting
talks to 7-10 minutes. The rest of the time is left to open
discussion. Four hour-and-a-half panels per day over two days equals
eight panels; six people per panel means that 48 people get to speak.
We also have lunches, dinners, and receptions – all designed so
people from different disciplines talk to each other.

I invariably find this to be the most
intellectually stimulating conference of my year. It influences my
thinking in many different, and sometimes surprising, ways.

Facebook introduced new
disclosure rules for political advertisements this week designed to
block bad actors from meddling in elections. But in the meantime,
the rules are blocking legitimate candidates from buying Facebook ads
— and at least one congressional candidate in Mississippi says it
could tip the election toward his opponent.

The rules that Facebook
implemented in the United States this week require anyone wishing to
buy a political ad to verify their identity. To do so, Facebook
mails a card to their physical location containing an authorization
code. Only after the candidate or advocacy group enters that
authorization code on Facebook can they purchase political ads.

Facebook began allowing
political advertisers to start the verification process on
April 23rd. The company promoted the new process with a blog
post and messages inside Facebook directed at administrators of
political pages. In May, it also sent emails to page administrators
advising them of the changes.

But not everyone got the
message — and now some are scrambling to come up with a Plan B
ahead of June 5th primary elections.

… Yesterday, Rose’s
campaign planned to buy 500 different Facebook ads. The first batch
were approved shortly before the new rules took effect. But when
Rose went to buy the remainder, he received a message from Facebook
saying his ads had not been authorized. Rose filled out the required
online forms attesting to his identity. At the end, Facebook said it
would send Rose an authorization code in the mail. He
was told it would arrive in 12 to 15 days — by which point the
election would be over.

…
Richard Boyanton, who is mounting a primary challenge to Republican
Sen. Roger Wicker (R-MS), also found himself stymied by the new
rules. … Then yesterday, Facebook informed him he would need to
verify his identity before he could buy more ads. He had received a
message from the company two or three weeks ago, he said, but
he did not realize that he would be prevented from running ads if he
did not follow the steps laid out in the message.

Leaked
Documents Show Facebook’s Post-Charlottesville Reckoning with
American Nazis

… In January, 5 months after Charlottesville,
Facebook added slides discussing the company’s position on white
nationalism, supremacy, and separatism. While it says Facebook does
not allow praise, support, or representation of white supremacy, it
does allow the same sort of positions for white nationalism and
separatism, according to one of the slides obtained by Motherboard.

Explaining its motivation, another section of the
document reads that nationalism is an “extreme right movement and
ideology, but it doesn't seem to be always associated with racism (at
least not explicitly).” Facebook then acknowledges that “In
fact, some white nationalists carefully avoid the term supremacy
because it has negative connotations.”

… Facebook classifies hate groups,
individuals, and high profile figures based on “strong, medium, and
weak signals,” according to one of the documents focused on hate
speech in America. A strong signal would be if the individual is a
founder or prominent member of a hate organization (or, “h8 org”,
in Facebook parlance); medium would include the name or symbol of a
banned hate group, or using dehumanizing language against certain
groups of people. Partnership or some form of alliance with a banned
hate organization—including participating in rallies together, of
particular relevance to events like Charlottesville—Facebook sees
as a weak signal, as well as an individual receiving a guilty verdict
for distributing forbidden propaganda material.

Heat
Map Tool is a tool for easily creating heat maps or incident maps
from a CSV
file. To create a heat map all you need to do is upload a CSV
file then specify your desired display attributes like scale, colors,
and opacity. You can edit the display attributes of your map
whenever you like. If you're wondering how to create a CSV file you
can do so by exporting from a spreadsheet in Google Documents or
exporting from an Excel file. Click
here for directions on exporting from Excel. The free version of
Heat Map Tool allows you to have up to 100 data points on your map
and up to 500 hits per day on your map.

Friday, May 25, 2018

A notice from Google this morning (emphasis is
mine) as I write my Blog.

European
Union laws require you to give European Union visitors information
about cookies used and data collected on your blog. In many cases,
these laws also require you to obtain consent.

As a
courtesy, we have added a notice on your blog to explain Google's use
of certain Blogger and Google cookies, including use of Google
Analytics and AdSense cookies, and other data collected by Google.

You
are responsible for confirming this notice actually works
for your blog, and that it displays. If you employ other cookies,
for example by adding third party features, this notice may not work
for you. If you include functionality from other providers there may
be extra information collected from your users.

Activists
Are Already Targeting Google and Facebook Over Europe's New Data
Privacy Law That Went Live Today

Europe’s sweeping
new data privacy regime came into effect this morning, and
privacy activists are not wasting time in flexing their muscles. One
organization has already made official data protection complaints
about Google,
Facebook,
WhatsApp and Instagram, while another is going after the shadowy data
brokers that trade people’s information behind the scenes.

The complaints about Google, Facebook and
Facebook’s subsidiaries come from a group called None Of Your
Business (NOYB)—a non-profit founded
by the very successful serial Facebook litigant Max Schrems.
Schrems, the Austrian lawyer who annihilated
the U.S.-EU Safe Harbor data-sharing agreement a few years ago,
formed the crowdfunded NOYB in order to take on big tech firms that
break the EU’s new General Data Protection Regulation (GDPR).

The
scene was set last week when Air Marshal Phil Collins (Chief of
Defence Intelligence, UK Ministry of Defence) spoke at the Royal
United Services Institute (RUSI). In his speech
Collins talked about the growing use of non-kinetic (primarily cyber)
warfare.

"We
can see numerous examples of this today," he said:
"unprecedented industrial espionage activity against the UK and
Allies; private security contractors being used in high-end
expeditionary warfare in Syria; cyber-attacks against national
infrastructure and reputation across Europe; information operations
that attempt to pervert political process and frustrate the rule of
law; and attempted assassinations."

He
warned that the nature of modern warfare is becoming broader, more
strategic, and features "continuous full spectrum competition
and confrontation."

… The
implication is that the UK requires the ability (and he makes it
clear that he believes the UK has that ability) to both respond to
cyber-attacks and if necessary launch preemptive cyber-attacks
effectively in self-defense.

Facebook’s new archive for U.S. political ads —
created to give users more information about who is advertising on
Facebook and who they are trying to target — went live today. The
archive was first announced
in October.

The archive is available to view at
facebook.com/politicalcontentads.
The archive contains both ads promoting candidates for political
office as well as those that Facebook has deemed to be “issue ads”
— ads that touch on a list of 20 hot-button topics that Facebook
released earlier this month. These ads will also be labeled in
users’ news feeds starting today, with a “paid for by” tag.
Political and issue ads on Instagram will also be labeled.

For my Software
Architecture class to design a fix and my Computer Security class to
fix this design.

News broke out earlier this week that Amazon’s
Alexa assistant recorded a private conversation between two people
and then sent that recording to a third party. Alexa, of course, is
supposed to listen to everything you say but only act when you utter
the designated hotwords that invoke the assistant.

… Amazon explained
to Recode what caused this privacy infringing incident.
Here’s what happened — we’ve broken down Amazon’s statement
into all the steps Alexa went through to dispatch the message:

Echo woke up due to a word in background
conversation sounding like “Alexa.”

Then, the subsequent conversation was
heard as a “send message” request.

At which point, Alexa
said out loud “To whom?” At which point, the
background conversation was interpreted as a name in the customer’s
contact list.

“As unlikely as this string of events is,
we are evaluating options to make this case even less likely.”

All this sounds extremely unlikely but it also
kind of explains what happened perfectly. To recap, the woman was
talking to her husband and a partial recording of their chat was then
sent to one of his employees who lives in a different state.

It’s always possible that one of the two people
in the chat said a word that sounded like Alexa, triggering a
sequence of events as described above. They may have also mentioned
a name that sounded just like the name of the man’s employee and
used words that may have been interpreted as confirmation to send a
message.

But, no matter how you look at it, this is a
serious issue. Apparently, Alexa can misinterpret its own hotword,
which is definitely not something you want from the assistant.

(Related) Using this system to confirm the
validity of stolen information?

Here’s something we don’t see everyday, and it
involves Kentucky-based health insurer Humana.
Humana’s technology team became suspicious after there
were a number of calls to an 800 number of Humana’s that involved
their Interactive Voice Response system where the
caller was able to authenticate as a member by providing date of
birth, zip code, and Humana ID number or Social Security Number, but
then never went further with the system to request anything.
So were the calls simply to verify the accuracy of member
information in preparation for some other attack or misuse? It wasn’t
clear, but Humana wisely took action.

Humana blocked the phone numbers associated with
the suspicious calls, notified
members, and offered them protective services through Equifax’s
Credit Watch Gold service. And of course, they continue to monitor
for any other suspicious behavior.
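The pattern Humana's team spotted (a caller who authenticates and then asks for nothing) is a detectable one. Below is an added example, not Humana's code or any system the article describes, showing how that detection might be written over IVR logs. The log format, event names, thresholds and sample lines are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample IVR log (format assumed for this example; in practice the
# member identifier would be tokenised before the log reaches a SIEM).
SAMPLE_LOG = """\
2018-05-22T09:01:12Z call=c1001 ani=+15550100001 event=CALL_START
2018-05-22T09:01:40Z call=c1001 ani=+15550100001 event=AUTH_OK member=H4481
2018-05-22T09:01:45Z call=c1001 ani=+15550100001 event=CALL_END
2018-05-22T09:03:02Z call=c1002 ani=+15550100001 event=CALL_START
2018-05-22T09:03:29Z call=c1002 ani=+15550100001 event=AUTH_OK member=H5102
2018-05-22T09:03:33Z call=c1002 ani=+15550100001 event=CALL_END
2018-05-22T09:04:50Z call=c1003 ani=+15550100001 event=CALL_START
2018-05-22T09:05:18Z call=c1003 ani=+15550100001 event=AUTH_OK member=H6633
2018-05-22T09:05:21Z call=c1003 ani=+15550100001 event=CALL_END
2018-05-22T09:08:00Z call=c2001 ani=+15550100002 event=CALL_START
2018-05-22T09:08:31Z call=c2001 ani=+15550100002 event=AUTH_OK member=H7720
2018-05-22T09:08:40Z call=c2001 ani=+15550100002 event=MENU_SELECT option=claims
2018-05-22T09:11:02Z call=c2001 ani=+15550100002 event=CALL_END
2018-05-22T09:12:15Z call=c3001 ani=+15550100003 event=CALL_START
2018-05-22T09:12:44Z call=c3001 ani=+15550100003 event=AUTH_OK member=H9012
2018-05-22T09:12:49Z call=c3001 ani=+15550100003 event=CALL_END
2018-05-22T09:14:00Z call=c3002 ani=+15550100003 event=CALL_START
2018-05-22T09:14:30Z call=c3002 ani=+15550100003 event=AUTH_FAIL
2018-05-22T09:14:35Z call=c3002 ani=+15550100003 event=CALL_END
"""

# Events that mean the caller actually asked the IVR to do something.
REQUEST_EVENTS = {"MENU_SELECT", "CLAIM_STATUS", "ID_CARD_REQUEST"}


def parse(lines):
    """Turn 'timestamp key=value ...' lines into dicts, skipping malformed ones."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or "=" not in parts[1]:
            continue
        rec = {"ts": parts[0]}
        for tok in parts[1:]:
            key, _, val = tok.partition("=")
            rec[key] = val
        if {"call", "ani", "event"} <= rec.keys():
            events.append(rec)
    return events


def classify_calls(events):
    """Return {call_id: {'ani', 'member'}} for probe calls: calls that passed
    authentication and then ended without a single request."""
    by_call = defaultdict(list)
    for e in events:
        by_call[e["call"]].append(e)
    probes = {}
    for call_id, evs in by_call.items():
        evs.sort(key=lambda e: e["ts"])
        auth_idx = next((i for i, e in enumerate(evs) if e["event"] == "AUTH_OK"), None)
        if auth_idx is None:
            continue  # never authenticated; a different signal, not this one
        if any(e["event"] in REQUEST_EVENTS for e in evs[auth_idx + 1:]):
            continue  # a legitimate caller did something after logging in
        probes[call_id] = {"ani": evs[0]["ani"], "member": evs[auth_idx].get("member")}
    return probes


def suspicious_numbers(events, min_probes=3, min_members=2):
    """Aggregate probe calls per calling number. One phone that authenticates as
    several different members and never transacts is the strongest signal."""
    stats = defaultdict(lambda: {"probes": 0, "members": set()})
    for p in classify_calls(events).values():
        s = stats[p["ani"]]
        s["probes"] += 1
        if p["member"]:
            s["members"].add(p["member"])
    return {
        ani: {"probes": s["probes"], "members": sorted(s["members"])}
        for ani, s in stats.items()
        if s["probes"] >= min_probes and len(s["members"]) >= min_members
    }


if __name__ == "__main__":
    for ani, s in suspicious_numbers(parse(SAMPLE_LOG.splitlines())).items():
        print(f"block {ani}: {s['probes']} probe calls as members {s['members']}")
```

In the sample, +15550100001 authenticates as three different members and hangs up each time, so it is the only number flagged; +15550100003 made one such call, which on its own is indistinguishable from a member who changed their mind, so the threshold keeps it out of the blocklist.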

Designing in Security checks is good. Ignoring
Security checks is all too common.

A 28 billion-euro ($35 billion) payments
error at Deutsche Bank AG in March wasn’t the first such
blunder to befall the lender.

In March 2014, the German bank mistakenly sent 21
billion euros to Macquarie
Group Ltd. as collateral for an over-the-counter derivatives
trade, according to a person familiar with the matter who declined to
be identified. That incident led directly to the introduction of
fail-safes, though these didn’t catch the latest gaffe, the person
said.

… While the New York Fed warned the firm in
late 2013 about persistent deficiencies in its processes, lapses have
continued, demonstrating the challenge facing new Chief Executive
Officer Christian Sewing as he seeks to return the bank to growth and
placate
U.S. regulators.

… The 2018 error was caused by the input of
euros instead of yen, Sewing told shareholders in Frankfurt on
Thursday…

… The 2014 over-payment was a result of human
error while using a collateral management system, the person familiar
said. A control system that requires at least two pairs of eyes to
look at transactions of a certain size also failed, they said.

Following the error, Deutsche Bank designed an
enhanced “bear trap” system, whereby all payments over a certain
size were subjected to increased scrutiny, according to the person.
Yet that failed to prevent the more recent gaffe in March of this
year.
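As an added illustration of what "designing in" such checks looks like in code (this is not Deutsche Bank's system, and the article does not disclose its actual thresholds or rules), the function below layers three independent controls over a collateral payment: the instruction's currency must match the agreement it settles, anything above a threshold needs two distinct approvers, and anything above a larger threshold is compared against the agreement's typical size, the "bear trap". The thresholds, class names and the `CounterpartyCo` agreement are assumptions for the example.

```python
from dataclasses import dataclass

# Assumed control parameters for this example, not the bank's real ones.
FOUR_EYES_THRESHOLD = 100_000_000      # above this, two distinct approvers
BEAR_TRAP_THRESHOLD = 1_000_000_000    # above this, the size-ratio check applies
BEAR_TRAP_RATIO = 10                   # hold if more than 10x the typical call


@dataclass(frozen=True)
class CollateralAgreement:
    counterparty: str
    currency: str          # currency the collateral is contractually due in
    typical_amount: float  # recent typical call size, in that currency


@dataclass(frozen=True)
class PaymentInstruction:
    counterparty: str
    currency: str
    amount: float
    approvers: tuple = ()  # user ids of everyone who signed off


def review_payment(instr, agreement):
    """Return ('release', []) or ('hold', [reasons]).

    Each check is evaluated independently so one failure never masks
    another; the operator sees every reason the payment was held.
    """
    reasons = []
    if instr.counterparty != agreement.counterparty:
        reasons.append("counterparty does not match the agreement")
    if instr.currency != agreement.currency:
        reasons.append(f"currency {instr.currency} entered, agreement is in {agreement.currency}")
    if instr.amount > FOUR_EYES_THRESHOLD and len(set(instr.approvers)) < 2:
        # set() is the point: the same user approving twice is not four eyes
        reasons.append("four-eyes rule: two distinct approvers required")
    if (instr.amount > BEAR_TRAP_THRESHOLD and agreement.typical_amount > 0
            and instr.amount / agreement.typical_amount > BEAR_TRAP_RATIO):
        reasons.append(f"bear trap: {instr.amount / agreement.typical_amount:.1f}x typical size")
    return ("hold" if reasons else "release"), reasons


def demo():
    agreement = CollateralAgreement("CounterpartyCo", "JPY", 2_500_000_000)
    cases = {
        # the 2018 pattern from the article: the right digits in the wrong currency
        "wrong_currency": PaymentInstruction("CounterpartyCo", "EUR", 28_000_000_000, ("u1", "u2")),
        # one way a two-pairs-of-eyes control fails: the same person approves twice
        "single_approver": PaymentInstruction("CounterpartyCo", "JPY", 2_000_000_000, ("u1", "u1")),
        "normal": PaymentInstruction("CounterpartyCo", "JPY", 2_000_000_000, ("u1", "u2")),
    }
    return {name: review_payment(instr, agreement) for name, instr in cases.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} {reasons}")
```

The currency check is the one that would have caught the 2018 error on its own: a 28 billion figure is plausible in yen and absurd in euros, and the agreement already knows which one it is owed.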

Epic Games’ Fortnite
generated $296 million in the month of April across mobile, console,
and PC platforms, according to digital game sales tracker SuperData
Research. That amount is more than double what
the game generated in the month of February, when it earned $126
million and surpassed Playerunknown’s Battlegrounds in
monthly sales for the first time.

The big difference between
the games, and what really makes Fortnite shine, is Epic’s
free-to-play
model, which gets the title into as many players’ hands as possible
and recoups the money, and then some, by way of in-game purchases.
Epic sells players cosmetic
items that do not affect gameplay, including goofy and
topical character costumes and in-game dance moves purely for vanity
purposes. It also sells a season subscription called the Battle Pass
for around $10. Still, the company sells these items at such an
alarming quantity that Fortnite made more money in April
than Avengers:
Infinity War did on its opening weekend later that same
month.

Pornhub is launching
its own VPN service today with free
and unlimited bandwidth. The VPN is supposed to help
users avoid ISP throttling and geographic limitations. It’s also
designed to let users transmit data anonymously without saving or
collecting any of that data.

Thursday, May 24, 2018

Forward
Secrecy’s day has come – for most. The cryptographic technique
(sometimes called Perfect Forward Secrecy or PFS), adds an additional
layer of confidentiality to an encrypted session, ensuring that only
the two endpoints can decrypt the traffic. With forward secrecy,
even if a third party were
to record an encrypted session, and later gain access to the server
private key, they could not use that key to decrypt a session
protected by forward secrecy. Neat, huh?

Forward
secrecy thwarts large-scale passive surveillance (such as might be
conducted by a snooping nation state or other well-resourced threat
actor) so it is seen as a tool that helps preserve freedom of speech,
privacy, and other
rights-of-the-citizenry.

It
is supported and preferred by every major browser, most mobile
browsers and applications, and nearly 90% of TLS hosts on the
Internet, according to a recent TLS Telemetry report (PDF).
The crypto community applauds forward secrecy’s broad acceptance
today.
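To make the property concrete, here is an added example (not from the original article) that runs two key exchanges against the same long-term server key and then leaks that key to a passive eavesdropper who recorded both handshakes. In the first exchange the server reuses its long-term Diffie-Hellman key, so the leak reproduces the session key; in the second the server uses a fresh ephemeral key and the long-term key only authenticates it, so the same computation yields nothing. The group (a 127-bit Mersenne prime with generator 5) is a toy chosen so the arithmetic is visible, not a secure parameter set, and the HMAC stands in for the certificate signature a real TLS server would produce over its ephemeral share. All function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: far too small for real use, illustrative only.
# A real TLS server would use ECDHE (X25519, P-256) and sign with its cert key.
P = (1 << 127) - 1
G = 5


def dh_keypair():
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(peer_public, own_private):
    """Derive a 32-byte session key from the shared DH secret."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def handshake_static(server_long_term):
    """Non-forward-secret exchange: the server reuses its long-term DH key.
    Returns (key, transcript), the transcript being what the wire reveals."""
    srv_priv, srv_pub = server_long_term
    cli_priv, cli_pub = dh_keypair()
    key = session_key(srv_pub, cli_priv)
    assert key == session_key(cli_pub, srv_priv)  # both sides agree
    return key, {"client_pub": cli_pub}


def handshake_ephemeral(server_long_term):
    """Forward-secret exchange: a fresh server key per session; the long-term
    key only authenticates it (HMAC here stands in for a signature)."""
    srv_priv, _ = server_long_term
    eph_priv, eph_pub = dh_keypair()
    auth_key = srv_priv.to_bytes(16, "big")
    tag = hmac.new(auth_key, eph_pub.to_bytes(16, "big"), "sha256").digest()
    cli_priv, cli_pub = dh_keypair()
    key = session_key(eph_pub, cli_priv)
    assert key == session_key(cli_pub, eph_priv)
    del eph_priv  # the server forgets the ephemeral exponent after the handshake
    return key, {"client_pub": cli_pub, "server_eph_pub": eph_pub, "tag": tag}


def attacker_decrypt_later(transcript, leaked_server_priv):
    """A recording eavesdropper who later obtains the long-term private key
    combines it with the recorded client value exactly as the server did."""
    return session_key(transcript["client_pub"], leaked_server_priv)


def demo():
    long_term = dh_keypair()
    static_key, static_transcript = handshake_static(long_term)
    pfs_key, pfs_transcript = handshake_ephemeral(long_term)
    leaked = long_term[0]
    forged_tag = hmac.new(leaked.to_bytes(16, "big"),
                          pfs_transcript["server_eph_pub"].to_bytes(16, "big"),
                          "sha256").digest()
    return {
        # static: the leaked key reproduces the recorded session's key
        "static_recovered": attacker_decrypt_later(static_transcript, leaked) == static_key,
        # ephemeral: the same computation gives garbage; the session key depended
        # on an exponent that no longer exists anywhere
        "pfs_recovered": attacker_decrypt_later(pfs_transcript, leaked) == pfs_key,
        # what the leak still buys: forging authentication for future sessions
        "pfs_can_impersonate": hmac.compare_digest(forged_tag, pfs_transcript["tag"]),
    }


if __name__ == "__main__":
    print(demo())
```

The last flag is the caveat the article's "Neat, huh?" glosses over: forward secrecy protects traffic recorded before the compromise, but once the long-term key is out, the attacker can impersonate the server in every session after it until the key is revoked and replaced.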

In the weeks since Mark Zuckerberg’s testimony
to Congress, Facebook has made two important policy announcements.
The company released a document explaining what posts and accounts it
removes on the basis of its internal rules, known as “community
standards,” and it engaged
outside consultants to review the social media platform’s
impact on various communities. The company also released its first
transparency
report on the enforcement of its community standards.

These are all welcome developments, but they lay
bare a fundamental question raised by Zuckerberg himself: What
obligations does the public want companies to fulfill when deciding
which speech deserves a place on the Internet and social media?
The Supreme Court recently
called the internet and social media platforms “the most
important places…for the exchange of views,” so the question is
not simply an academic exercise.

Facebook
users worldwide are being asked to review their privacy settings as
GDPR looms

Facebook
users will soon see a notice on their accounts asking them to review
their privacy settings, as the company prepares for the rollout of
new data protection rules in Europe.

The alert, which starts
appearing this week, asks users across the globe to
reassess their preferences for the types of personal data Facebook
can use for ad targeting and whether they'll submit to facial
recognition. They'll be given the chance to review the information
they share on their profiles, including political and religious
affiliations and relationship status.

Consumers will see how Facebook uses their
activity to send targeted ads and what the company does with its
facial recognition tools. Facebook will show them which features
they currently have turned on, allowing them to opt out if they
choose.

Though Facebook is facing a barrage of criticism
in the U.S. over data protection, following the Cambridge Analytica
scandal in March, this week's notice is in response to the General
Data Protection Regulation in Europe. The
alert has already appeared for European users, but this time it is
getting a worldwide rollout.

… Facebook is today making three important
announcements on false
news, to which WIRED got an early and exclusive look.

… The first new announcement is a
request for proposals from academics eager to study false news on the
platform. Researchers who are accepted will get data and money; the
public will get, ideally, elusive answers to how much false news
actually exists and how much it matters. The second
announcement is the launch of a public education campaign that will
utilize the top of Facebook’s homepage, perhaps the most valuable
real estate on the internet. Users will be taught what false news is
and how they can stop its spread. Facebook knows it is at war, and
it wants to teach the populace how to join its side of the fight.
The third announcement—and the one the company seems most
excited about—is the release of a nearly 12-minute video called
“Facing Facts,” a title that suggests both the topic and the
repentant tone.

United
Kingdom Att’y General’s Speech on International Law and Cyber:
Key Highlights

On Wednesday, the United Kingdom’s Attorney
General, Jeremy Wright, QC MP, gave a speech at Chatham House on the
role of international law in cyberspace. It is the first official
statement of the UK’s overarching view on the topic, including on
some specific issues that are at the center of international policy
and debate (the speech can be found here.)
Here are eight key points:

First, it is
important for states to publicly articulate their understanding of
international law, especially in cyberspace. Wright acknowledged
that rapidly changing technology and developing norms made clear
rules difficult, but he warned against allowing cyberspace to become
a “grey area.”

Twitter will start adding labels to the profiles
of candidates running in the 2018 midterm elections after May 30th.

… The
label, which will apply to all
candidates running for state governor, U.S. Senate or U.S. House of
Representatives, will contain the office the candidate is running
for, the state the office is located in, their district number (when
applicable), and other identifying information.

The label will be marked with a small icon
of a government building, and will appear on the Twitter page of the
candidate as well as alongside all tweets sent or retweeted by the
account.

I’m not into watches or wristbands, but for the
last few weeks I’ve been wearing a fitness tracker on my finger.
It knows how long I sleep and detects when I walk or run, and all
I’ve gotta do is wear it like jewelry and forget about it.

The device is the Motiv
Ring. Its features and its iOS app are minimalist compared to
what a Fitbit or an Apple Watch can do, which is part of why I like
it.

… The ring doesn’t have a screen, just a
tiny light that changes color when it charges or when it’s syncing
with your phone. (You can force it to sync by spinning the ring
around your finger, or ask it to ring your phone by spinning one way
and then the other.) The ring doesn’t need to sync constantly, so
you don’t need to worry if your phone dies or if you’d rather go
to the gym without your phone. It can hang onto a few days’ data
if needed.

Following high-profile incidents involving
autonomous vehicle technologies, a new report from AAA’s multi-year
tracking study indicates that consumer trust in these vehicles has
quickly eroded. Today, three-quarters (73 percent) of American
drivers report they would be too afraid to ride in a fully
self-driving vehicle, up significantly from 63 percent in late 2017.
Additionally, two-thirds (63 percent) of U.S. adults report they
would actually feel less safe sharing the road with a
self-driving vehicle while walking or riding a bicycle.

Walmart’s
agreement on June 9 to purchase
77% of Flipkart for $16 billion mints two engineer billionaires
in India. Binny Bansal and Sachin Bansal, who co-founded Flipkart
and who are not related, each reportedly own about 5% of the Indian
online retailer. They will have a net worth of about $1 billion when
the transaction with Walmart is completed later this year. It will
mark a major business success for professionals in India, outside the
information technology businesses. The example of the founders,
including their initial failures, will inspire more professionals in
India to risk starting an enterprise.

Flipkart is
India’s largest online retailer with an estimated 40% market share.
Amazon, its main and tough competitor, has about a third of the
market.

Perspective. Too trusting or setting the
President up for further legal action?

A federal district court judge on Wednesday ruled
that President Trump
can't block people from viewing his Twitter feed over their political
views.

Judge Naomi Reice Buchwald, of the U.S. District
Court for the Southern District of New York, said President Trump’s
Twitter account is a public forum and blocking people who reply to
his tweets with differing opinions constitutes viewpoint
discrimination, which violates the First Amendment.

… Buchwald, who was appointed by former
President Clinton, rejected Trump’s argument that the First
Amendment does not apply in this case and that the president’s
personal First Amendment interests supersede those of the plaintiffs.

She suggested in her
75-page opinion that Trump could have ignored his opponents’ reply
tweets.

… But Buchwald
did not order Trump or Scavino to unblock the individual plaintiffs
in the case or prohibit them from blocking others from the account
based on their views as the plaintiffs’ had asked.

She said a declaratory
judgment should be sufficient.

“Because no government official is above the law
and because all government officials are presumed to follow the law
once the judiciary has said what the law is, we
must assume that the President and Scavino will remedy the blocking
we have held to be unconstitutional,” Buchwald wrote.

Chipotle
Mexican Grill to close Denver headquarters, relocate staff to
California and Ohio

The company said
in a news release the headquarters will move to Newport Beach, Calif.
and other functions within the Denver office will move to the
company’s existing office in Columbus, Ohio.

… The news comes as a surprise to some in
Denver, as the company announced
in December it was moving its headquarters to a new office tower
downtown that was still under construction.

"We wish @ChipotleTweets all the best. We
want their existing employees to know we have services that can help
them find new jobs," Gov. John Hickenlooper tweeted
Wednesday afternoon. His wife, Robin, has sat on Chipotle's board of
directors since December 2016.

It signed a 15-year lease for five floors of a
40-story skyscraper located on 15th Street between Arapahoe and
Lawrence streets. The status of the lease is currently unclear,
though the building held its grand opening in recent months.

The CEO at the time, Steve Ells, said: “Our
roots are here, and this contemporary, collaborative and modern space
will position us to look ahead to the next 25 years.”

… Paul Seaborn, an assistant professor of
management at the University of Denver, has watched Chipotle's
performance closely and co-wrote a case study last year for an
international competition that focused on the key challenges facing
the company. He said Chipotle's new CEO is cooking up a culture
shock with this latest move.

… Seaborn also said he believes there are no
real benefits to moving the headquarters to Newport Beach other than
the new CEO's own connections to California. He is the former CEO of
Taco Bell, whose headquarters are in nearby Irvine, California.

"This seems much more of a personal
management decision," said Seaborn. "This particular move
is going to create a big question around retention and who are the
key employees that they feel are really pushing the company forward
and can they get them to move to California."

The FBI denied
ZDNet's request for information on these phones. The
bureau said the information was exempt from disclosure, as the
records "could reasonably be expected to interfere with
enforcement proceedings."

Internally though the FBI knew they miscounted the
devices as of a month ago. The
bureau still doesn't have an accurate count of how many encrypted
phones it has from last year.

Amazon is
selling police departments a real-time facial recognition system

The
Verge: “Documents obtained
by the ACLU of Northern California have shed new light on
Rekognition, Amazon’s little-known facial recognition project.
Rekognition is currently used by police in Orlando and Oregon’s
Washington County, often using nondisclosure agreements to avoid
public disclosure. The result is a powerful real-time facial
recognition system that can tap into police body cameras and
municipal surveillance systems. According to further
reporting by The Washington Post, the Washington County
Sheriff pays between $6 and
$12 a month for access to Rekognition, which allows the
department to scan mug shot photos against real-time footage. The
most significant concerns are raised by the Orlando project, which is
capable of running real-time facial recognition on a network of
cameras throughout the city. The project was described by
Rekognition project director Ranju Das at
a recent AWS conference in Seoul…”

There are probably many, many “special
circumstances.” No doubt some future AI will deal with them.

The company's been accused of displaying the names
of rape victims through its Autocomplete and Related Search functions
– even when the victims have been granted anonymity by the courts.

The problem is that both features use data
gathered from previous searches to predict what information the user
is looking for and make suggestions. If enough people know a
victim's name and use it as one of their search terms, Google's
algorithm will provide a helpful prompt to those that don't.

In the US, there's no legal prohibition on
publishing the names of rape victims, although the media tend to
avoid doing so. In many countries, however, it's against the law.
And the UK's Times
newspaper has uncovered several cases in which Autocomplete and
Related Search have revealed the names of rape victims and others who
have official anonymity.

(Related) Somehow, “send us your private porn
so we can block your private porn” does not seem to be entirely
satisfactory. Imagine the lawsuits if this database leaks!

It’s demeaning and devastating when someone’s
intimate images are shared without their permission, and we want to
do everything we can to help victims of this abuse. We’re now
partnering with safety organizations on a
way for people to securely submit photos they fear will be shared
without their consent, so
we can block them from being uploaded to Facebook, Instagram and
Messenger. This pilot program, starting in Australia,
Canada, the UK and US, expands on existing tools for people to report
this content to us if it’s already been shared.

… The website,
used by customers to set up their home internet and cable service,
can be tricked into displaying the home address where the router is
located, as well as the Wi-Fi name and password.

… The site returned the Wi-Fi name and
password – in plaintext
-- used to connect to the network for one of the customers who uses
an Xfinity router. The other customer was using his own router –
and the site didn't return the Wi-Fi network name or password.

Inside
'Project Indigo,' the quiet info-sharing program between banks and
U.S. Cyber Command

A confidential information-sharing agreement
between the Financial Services Information Sharing and Analysis
Center (FS-ISAC) and U.S. Cyber Command reveals the blurring line
between the country’s public and private sectors as the U.S.
government becomes increasingly receptive
to launching offensive hacking operations.

… The broad purpose of Project Indigo is to
help inform U.S. Cyber Command about nation-state hacking aimed at
banks. In practice, this intelligence is independently evaluated
and, if appropriate, Cyber Command responds under its own unique
authorities.

It’s possible that a bank could tip off the
military about a cyberattack against the financial industry,
prompting Cyber Command to react and take action. That could include
providing unique insight back to FSARC or even taking offensive
measures to disrupt the attacker — such as retaliatory hacking —
if it’s appropriate and the Pentagon approves it, according to
current and former U.S. officials.

Isn’t this what Hillary Clinton said about email
servers? Good thing the President doesn’t email…

President Donald Trump uses a White House
cellphone that isn’t equipped with sophisticated security features
designed to shield his communications, according to two senior
administration officials — a departure from the practice of his
predecessors that potentially exposes him to hacking or surveillance.

The president, who relies on cellphones to reach
his friends and millions of Twitter followers, has rebuffed staff
efforts to strengthen security around his phone use, according to the
administration officials.

… While aides have urged the president to swap
out the Twitter phone on a monthly basis, Trump has resisted their
entreaties, telling them it was “too inconvenient,” the same
administration official said.

The president has gone as long as five months
without having the phone checked by security experts. It is unclear
how often Trump’s call-capable phones, which are essentially used
as burner phones, are swapped out.

Last week the PGPocalipse was all over the news…
Except that, well, it wasn’t an apocalypse.

A team of researchers published a
paper (PDF) where they describe how to decrypt a PGP encrypted
email via a targeted attack. The research itself is pretty well
documented and, from a security researcher perspective, it’s a good
paper to read, especially the cryptography parts.

But we here at Hackaday
were skeptical about media claims that Efail had broken PGP.
Some media reports went as far as recommending everyone turn off PGP
encryption on all email clients, but they weren’t able to back this
recommendation up with firm reasoning. In fact, Efail isn’t an
immediate threat for the vast majority of people simply because an
attacker must already have access to an encrypted email
to use the exploit. Advising everyone to disable encryption all
together just makes no sense.

Aside from the massive false alarm, Efail is a
very interesting exploit to wrap your head around. Join me after the
break as I walk through how it works, and what you can do to avoid
it.

More than TSA on steroids, this is Big Brothering
at its best. Any country could do this, including the US.

China's
social credit system has blocked people from taking 11 million
flights and 4 million train trips

China's social credit system has blocked people
from taking 11.14 million flights and 4.25 million high-speed train
trips.

The numbers, from the end of April, were included
in a report by China's state-run news outlet Global
Times, but it is unclear what offenses those targeted in the
travel ban have committed.

The social credit system is actually a collection
of blacklists, of which there are more than a dozen at the national
level. Each list is based on similar offenses — such as
misbehavior on planes and trains, or failing to abide by a court
judgment — and determines the punishments
people face, from throttling
internet speeds to blocking loans.

… the Directorate for Signals Intelligence,
Japan’s version of the National Security Agency.

The directorate has a history that dates back to
the 1950s; its role is to eavesdrop on communications. But its
operations remain so highly classified that the Japanese government
has disclosed little about its work – even the location of its
headquarters. Most Japanese officials, except for a select few of
the prime minister’s inner circle, are kept in the dark about the
directorate’s activities, which are regulated by a limited legal
framework and not subject to any independent oversight.

Now, a new
investigation by the Japanese broadcaster NHK — produced in
collaboration with The Intercept — reveals, for the first time,
details about the inner workings of Japan’s opaque spy community.
Based on classified documents and interviews with current and former
officials familiar with the agency’s intelligence work, the
investigation shines light on a previously undisclosed internet
surveillance program and a spy hub in the south of Japan that is used
to monitor phone calls and emails passing across communications
satellites.

… while digital marketers are aware of the
strict new regulatory regime, seemingly few have taken active steps
to address how it will impact their day-to-day operations.

GDPR will force marketers to relinquish much of
their dependence on behavioral data collection. Most critically, it
will directly implicate several business practices that are core to
current digital ad targeting. The stipulation that will perhaps
cause most angst is the new formulation for collecting an
individual’s consent to data gathering and processing; GDPR
requires that consent
be active (as opposed to passive) and represent a
genuine and meaningful choice. Digital marketers know
that users of internet-based services like Snapchat, Facebook, and
Google technically provide consent by agreeing to these companies’
terms of service when they sign up. But does this constitute an
active and genuine choice? Does it indicate that the user is willing
to have her personal data harvested across the digital and physical
worlds, on- and off-platform, and have that data used to create a
behavioral profile for digital marketing purposes? Almost
certifiably not.

… Many companies, acting based on poor legal
advice, a fear of fines of up to €20m (£17.5m) and a lack of good
examples to follow, have taken what they see as the safest option for
hewing to the General
Data Protection Regulation (GDPR): asking customers to renew
their consent for marketing communications and data processing.

… “Businesses are not required to
automatically ‘repaper’ or refresh all existing 1998 Act consents
in preparation for the GDPR,” Vitale said. “The first question
to ask is: which of the six legal grounds under the GDPR
should you rely on to process personal data? Consent is only one
ground. The others are contract, legal obligation, vital interests,
public interest and legitimate interests.

The ongoing, and sometimes loud, debate about how
many and what kinds of jobs smart machines will leave for humans to
do in the future is missing a salient point: Just as the automation
of human work in the past allowed people and machines to do many
things that couldn’t be done before, groups of people and computers
working together will be able to do many things in the future that
neither can do alone now.

No doubt this is their strategy to entice kids to
write rather than Tweet.

U.S. Postal
Service announces first-ever scratch and sniff stamp with popsicle
scent

… The U.S. Postal Service said Monday that it
will issue its first-ever scratch-and-sniff stamps that will aim to
evoke the sweet scent of summer. The 10 different stamp designs each
feature a watercolor illustration of two different ice pops on a
stick.

There will be one scent for all of the stamps and
the secret smell will be unveiled when the Postal Service issues the
stamps on June 20, according to U.S. Postal Service public relations
representative Mark Saunders.

NBC
News4 I-Team – Washington, DC – “The technology can be as
small as a suitcase, placed anywhere at any time, and it’s used to
track cell phones and intercept calls. The News4 I-Team found dozens
of potential spy devices while driving around Washington, D.C.,
Maryland and Northern Virginia. “While you might not be a target
yourself, you may live next to someone who is. You could still get
caught up,” said Aaron Turner, a leading mobile security expert.
The device, sometimes referred to by the brand name StingRay, is
designed to mimic a cell tower and can trick your phone into
connecting to it instead. The News4 I-Team asked Turner to ride
around the capital region with special software loaded onto three
cell phones, with three different carriers, to detect the devices
operating in various locations. “So when you see these red bars,
those are very high-suspicion events,” said Turner. If you
live in or near the District, your phone has probably been tracked at
some point, he said. A recent report by the Department of
Homeland Security called the spy devices a real and growing risk.
And the I-Team found them in high-profile areas like outside the
Trump International Hotel on Pennsylvania Avenue and while driving
across the 14th Street bridge into Crystal City. The I-Team got
picked up twice while driving along K Street — the corridor popular
with lobbyists. “It
looks like they don’t consider us to be interesting, so they’ve
dropped us,” Turner remarked looking down at one of his
phones. Every cellphone has a unique identifying number. The phone
catcher technology can harness thousands of them at a time. DHS has
warned rogue devices could
prevent connected phones from making 911 calls, saying,
“If this type of attack occurs during an emergency, it could
prevent victims from receiving assistance.” “Absolutely. That’s
a worry,” said D.C. Councilwoman Mary Cheh, adding that the spy
technology should be a concern for all who live and work in the
District. The I-Team’s test phones detected 40 potential locations
where the spy devices could be operating, while driving around for
just a few hours…”

Washington
Post – “Technology has made the repo man ruthlessly
efficient, allowing this familiar angel of financial calamity to
capitalize on a dark corner of the United States’ strong economy:
the soaring number of people falling behind on their car payments.”

“…Derek Lewis works for Relentless Recovery,
the largest repo company in Ohio and its busiest collector of license
plate scans. Last year, the company repossessed more than 25,500
vehicles — including tractor trailers and riding lawn mowers.
Business has more than doubled since 2014, the company said. Even
with the rising deployment of remote
engine cutoffs and GPS locators in cars, repo agencies remain
dominant. Relentless scanned 28 million license plates last year, a
demonstration of its recent, heavy push into technology. It now has
more than 40 camera-equipped vehicles, mostly spotter cars. Agents
are finding repos they never would have a few years ago. The
company’s goal is to capture every plate in Ohio and use that
information to reveal patterns… “It’s kind of
scary, but it’s amazing,” said Alana Ferrante, chief executive of
Relentless… Repo agents
are responsible for the majority of the billions of license plate
scans produced nationwide. But they don’t control
the information. Most of that data is owned by Digital
Recognition Network (DRN), a Fort Worth company that is the largest
provider of license-plate-recognition systems. And DRN
sells the information to insurance companies, private investigators —
even other repo agents. DRN is a sister company to Vigilant
Solutions, which provides the plate scans to law enforcement,
including police and U.S. Immigration and Customs Enforcement. Both
companies declined to respond to questions about their operations…
For repo companies, one worry is whether they are producing
information that others are monetizing…”

I wonder if I could integrate Fakey into my
Computer Security class. (Probably, yes.)

Indiana
University Bloomington: “Researchers at CNetS, IUNI,
and the Indiana
University Observatory on Social Media have launched upgrades to
two tools playing a major role in countering the spread of
misinformation online: Hoaxy
and Botometer.
A third tool Fakey
— an educational game designed to make people smarter news
consumers — also launches with the upgrades. Hoaxy is a search
engine that shows users how stories from low-credibility sources
spread on Twitter. Botometer is an app that assigns a score to
Twitter users based on the likelihood that the account is automated.
The two tools are now integrated so that one can easily detect
when information is spreading virally, and who is responsible for its
spread. Hoaxy and Botometer currently process hundreds of thousands
of daily online queries. The technology has enabled researchers,
including
a team at IU, to study how information flows online in the
presence of bots. Examples are a
study on the cover of the March issue of Science that analyzed
the spread of false news on Twitter and an
analysis from the Pew Research Center in April that found that
nearly two-thirds of the links to popular websites on Twitter are
shared by automated accounts. Fakey
is a web and mobile news literacy game that mixes news stories with
false reports, clickbait headlines, conspiracy theories and “junk
science.” Players earn points by “fact-checking” false
information and liking or sharing accurate stories. The
project, led
by IU graduate student Mihai Avram, was created to help people
develop responsible social media consumption habits. An Android
app is available, and an iOS version will launch shortly…”

Microsoft announced today that it has acquired
Semantic Machines, a Berkeley-based startup that wants to solve one
of the biggest challenges in conversational AI: making chatbots sound
more human and less like, well, bots.

Perspective. What is a good number? How much do
we spend to predict/prevent school shootings?

A Stimson Center working group released a study
last week on the costs of America’s counterterrorism efforts, and
it found about what you’d expect: nearly 17 years after 9/11, we
still don’t know exactly how much we have spent, but it’s a ton.
Over $2.8 trillion, at least. The staggering numbers grabbed
headlines on Wednesday, as they should. With this struggle closing
in on the two-decade mark, we need to have a frank accounting of the
threats we face and how much spending
is enough to keep Americans safe. But beyond the matter of raw
dollars spent, the report raises deeper questions about what counts
as counterterrorism and whether our funding matches our strategy.

… What at first glance might appear to be a
bean counting exercise is anything but. At a deeper level, this is
about our strategy and priorities in what we once aptly called the
long war. For example, my working group colleague John Mueller sees
the terrorist threat as dramatically less severe than I do, but he
nonetheless makes strong points, grounded in economic analysis, to
argue that we are overspending compared to the threat. In Mueller’s
estimation, our counterterrorism efforts would need to have saved at
least 250,000 lives to justify the expenditures we have made. These
are direct costs only. Mueller goes further in arguing
that the indirect economic costs of, for example, longer lines at
airports and border crossings and increased security at high profile
venues have cost us many billions more dollars.

How Much
Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should
Read

The amount of data we produce every day is truly
mind boggling. There are
2.5 quintillion bytes of data created each day at our current
pace, but that pace is only accelerating with the growth of the
Internet of Things (IoT). Over the last two years alone 90 percent
of the data in the world was generated.

BusinessCloud:
“The British government’s entire online presence comprising
billions of web pages has been indexed and digitally archived to the
cloud for the first time. Manchester
tech firm MirrorWeb has devised an all-new indexing to create an
accessible,
searchable and user-friendly resource for the public. The
National Archives’ gigantic 120TB
web archive encompasses billions of web pages – from every
government department website and social media account – from 1996
to the present. It took MirrorWeb
– named among our 101
Rising Stars of the UK Start-up Scene last year – just two
weeks to transfer the data from 72 hard drives at The National
Archives to internal hard drives before transferring and digitally
archiving more than two decades of government internet history to the
cloud. As part of a four-year contract, MirrorWeb was tasked
with both moving the data to the cloud using Amazon Web Services as
well as indexing it. Indexing the data meant that MirrorWeb had to
write a complete replacement for the UK Government Web Archives’
previous search functionality. As a result, 1.4bn
documents were indexed and are now accessible and
searchable to researchers, students and the members of the public who
need to use them, enabling them to view websites and social media
content in their original form as well as search for content on
specific topics. John Sheridan, digital director of The National
Archives, said: “We are preserving 1,000 years of British history
and a big part of that is preserving the digital record of government
today…”

The Reconnaissance General
Bureau, North Korea’s equivalent to the CIA, has trained up the
world’s greatest bank-robbing crews. In just the past few years,
RGB hackers have struck more than 100 banks and cryptocurrency
exchanges around the world, pilfering more than $650 million. That
we know of.

… These thieves also have
one distinct advantage over other syndicates: They are absolutely
confident that they’ll never be charged. So it goes when your own
country sponsors your criminal mischief.

… Spread over five floors, hundreds of men and
women sit in rows of six scanning their computer screens. All have
signed nondisclosure agreements. Four trauma specialists are at
their disposal seven days a week.

They are the agents of Facebook. And they have
the power to decide what is free speech and what is hate speech.

This is a deletion center, one of Facebook’s
largest, with more than 1,200 content moderators. They are cleaning
up content — from terrorist propaganda to Nazi symbols to child
abuse — that violates the law or the company’s community
standards.

GDPR
is right around the corner, so it’s time to prepare your personal
data requests. If you live in the European Union, tech companies
have to comply with personal data requests after May 25th. And
there’s a handy website that helps you do just that.

My Data
Request lists dozens of tech companies and tells you how you can
contact them. The website also links to the privacy policy of each
service and tells you what to do even if you don’t live in the EU.

Some companies, such as Facebook, LinkedIn,
Twitter, Google, Tinder and Snapchat have made that easy as they have
created a page on their website to download a zip archive with all
your personal data.

… For most companies (including Amazon),
you’ll have to email them yourself. My Data Request has created
handy email templates. You just have to copy the message, put your
name and contact information and send the email. The email addresses
are listed on My Data Request’s site too.

Perspective. Will Chatbots need to be customized
for each industry/company? Possibly. Will I have to remember dozens
of different names to get anything done? (Or will there be an App
for that?)

Bank of America on Friday officially introduced
Erica, an AI-powered virtual assistant for its 25 million mobile
customers.

Erica, which Bank of America began rolling out to
customers in March, can help people conduct banking via voice
commands, text or with gestures from within the Bank of America app.
She can currently help customers with a variety of tasks:

Searching for
past transactions, such as checks written or shopping activity

Accessing key
information, such as routing numbers or the closest ATM

Scheduling
face-to-face meetings at a Bank of America financial center

Viewing bills
and scheduling payments

Locking and
unlocking debit cards

Transferring money between accounts or
sending money to friends with Zelle

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.